Class: VpcCriticalPortsAudit::CheckingSensiblePorts

Inherits:
CriticalPortsAuditState show all
Defined in:
lib/scripts/ec2/vpc_critical_ports_audit.rb

Overview

Security groups retrieved. Start analysing them.

Instance Attribute Summary

Attributes inherited from ScriptExecutionState

#context, #logger

Instance Method Summary collapse

Methods inherited from CriticalPortsAuditState

load_state

Methods inherited from ScriptExecutionState

#done?, #end_state, #failed?, #initialize, #register_state_change_listener, #start_state_machine, #to_s

Methods included from StateTransitionHelper

#attach_volume, #connect, #copy_distribution, #create_fs, #create_labeled_fs, #create_snapshot, #create_volume, #create_volume_from_snapshot, #delete_snapshot, #delete_volume, #detach_volume, #determine_file, #disable_ssh_tty, #disconnect, #ec2_handler, #ec2_handler=, #enable_ssh_tty, #get_aws_kernel_image_aki, #get_aws_region_from_endpoint, #get_partition_fs_type, #get_partition_fs_type_and_label, #get_partition_label, #get_root_device_name, #get_root_partition_fs_type, #get_root_partition_fs_type_and_label, #get_root_partition_label, #get_root_volume_id, #launch_instance, #local_decompress_and_dump_file_to_device, #local_dump_and_compress_device_to_file, #mount_fs, #mount_fs_old, #register_snapshot, #remote_copy, #remote_copy_old, #remote_handler, #remote_handler=, #retrieve_instances, #retrieve_security_groups, #shut_down_instance, #snapshot_accessible, #start_instance, #stop_instance, #unmount_fs, #upload_file, #zip_volume

Methods included from VCloudTransitionHelper

#retrieve_ip_services

Constructor Details

This class inherits a constructor from ScriptExecutionState

Instance Method Details

#enter ⇒ Object



# File 'lib/scripts/ec2/vpc_critical_ports_audit.rb', line 54

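# Audits every VPC security group in @context[:security_groups] for inbound
# rules open to the whole IPv4 Internet (0.0.0.0/0) and records each finding
# in @context[:result][:affected_groups].
#
# When @context[:critical_ports] is nil or empty, every world-open rule is
# recorded once; :concerned is the port when the rule covers a single port,
# else nil. Otherwise one record is added per critical port that lies inside
# the rule's port range.
#
# Each record is a Hash with the keys :name, :from, :to, :concerned, :prot,
# :vpc_ref and :igw_ref. :igw_ref is the id of an Internet gateway attached
# to the group's VPC, or "" when none is attached.
#
# NOTE(review): only 'ipRanges' (IPv4) is inspected, so a rule open to ::/0
# is not reported. The key carrying IPv6 ranges is not visible here - confirm
# against the API handler before relying on this audit for IPv6 exposure.
#
# @return [Done] the follow-up state, built from @context
def enter
  findings = @context[:result][:affected_groups] = []
  ec2 = @context[:ec2_api_handler]
  critical_ports = @context[:critical_ports]
  # Lookups are cached for the duration of one audit run, so that groups
  # sharing a VPC do not trigger the same API calls again.
  vpc_refs = {}
  igw_refs = {}
  gateways = nil
  @context[:security_groups]['securityGroupInfo']['item'].each do |group_info|
    vpc_id = group_info['vpcId']
    #check only VPC SecurityGroups
    next if vpc_id.nil? || vpc_id.empty?
    post_message("checking VPC SecurityGroup '#{group_info['groupName']}'...")
    permissions = (group_info['ipPermissions'] || {})['item']
    next if permissions.nil?

    # Human-readable VPC reference: its name when set, else its id.
    vpc_refs[vpc_id] ||= begin
      vpc = ec2.describe_vpcs(:vpc_id => vpc_id)
      vpc_item = ((vpc['vpcSet'] || {})['item'] || []).first || {}
      vpc_name = vpc_item['name']
      if !vpc_name.nil? && !vpc_name.empty?
        vpc_name
      else
        #XXX: should be the same as "group_info['vpcId']"
        vpc_item['vpcId'] || vpc_id
      end
    end
    vpc_ref = vpc_refs[vpc_id]

    # First Internet gateway attached to this VPC. A detached gateway has no
    # attachment items and must not abort the audit.
    gateways ||= (ec2.describe_internetgateways()['internetGatewaySet'] || {})['item'] || []
    igw_refs[vpc_id] ||= begin
      attached = gateways.find do |gateway|
        attachments = (gateway['attachmentSet'] || {})['item'] || []
        attachments.any? { |attachment| attachment['vpcId'].eql?("#{vpc_id}") }
      end
      attached ? attached['internetGatewayId'] : ""
    end
    igw_ref = igw_refs[vpc_id]

    permissions.each do |permission_info|
      logger.debug("permission_info = #{permission_info.inspect}")
      # A rule may list several CIDR ranges and may grant access to other
      # groups at the same time; it is world-open as soon as ANY of its ranges
      # is 0.0.0.0/0. Rules that only reference groups have no matching range
      # and are skipped here.
      ranges = (permission_info['ipRanges'] || {})['item'] || []
      next unless ranges.any? { |range| range['cidrIp'] == "0.0.0.0/0" }

      # EC2 reports all-traffic rules with ipProtocol '-1' and no port range.
      # nil.to_i would collapse that to 0-0 and hide every critical port, so
      # such a rule is treated as covering the full port range.
      all_traffic = permission_info['ipProtocol'].to_s == "-1"
      from_port = all_traffic ? 0 : permission_info['fromPort'].to_i
      to_port = all_traffic ? 65535 : permission_info['toPort'].to_i

      # The record keeps the raw values as delivered by the API.
      record_for = lambda do |concerned|
        {:name => group_info['groupName'],
         :from => permission_info['fromPort'], :to => permission_info['toPort'],
         :concerned => concerned, :prot => permission_info['ipProtocol'],
         :vpc_ref => vpc_ref, :igw_ref => igw_ref}
      end

      #XXX: allow to skip the 'critical port' options if nil
      if critical_ports.nil? || critical_ports.empty?
        port = nil
        if from_port == to_port
          port = from_port
          post_message("=> found unique port: #{port}")
        end
        findings << record_for.call(port)
        post_message("=> found at least one port publicly opened")
      else
        #now check if a critical port is within the port-range
        critical_ports.each do |port|
          next unless from_port <= port && to_port >= port
          findings << record_for.call(port)
          post_message("=> found publically accessible port range that contains "+
              "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
        end
      end
    end
  end
  Done.new(@context)
end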